Cloudmark Security Blog

DANE and Email Security

The forthcoming Cloudmark Security Platform for Email 5.2 will include support for DNS-Based Authentication of Named Entities (DANE), a new protocol that enables increased security for email communications. In this article we’ll look at how DANE works, how it can contribute to a more secure email environment, and how it is starting to gain acceptance.

Applications you use on a daily basis employ encryption technologies to keep your information safe. These applications employ the Transport Layer Security (TLS) protocol every time you connect to a website prefixed with “https://”, or when your email client application connects to a TLS-enabled email server. Your application initiates and manages the TLS session, enabling encrypted communication between your device and remote systems. By setting up an encrypted tunnel before sending data, you are assured that data you send and receive over the encrypted session is protected from eavesdropping.

One of the key components of TLS is the TLS certificate, often called a Secure Sockets Layer (SSL) certificate after an older protocol that performed the same role. These certificates are something a domain or service owner would deploy to enable communication security and to identify the service to remote applications and systems.

To guarantee a site’s identity, a server must provide a certificate that is trusted by the client. This trust is established by getting the certificate cryptographically signed by a trusted Certificate Authority (CA). CAs are companies in the business of verifying identity and ownership of servers. Your browser has a list of hundreds of trusted CAs that can sign certificates for TLS. In some cases they may delegate this signing authority to other organizations. However, any of these CAs or partner organizations can sign a certificate for any domain, so if a single CA is compromised, then the entire chain of trust is broken. Armed with forged certificates a malicious actor can conduct “man in the middle” (MITM) attacks against many forms of trusted, secure online communication such as online banking or email.

This is not just a theoretical possibility. In 2011, a CA called DigiNotar was compromised, and forged certificates were used to conduct MITM attacks against Iranian Gmail users, enabling access to passwords, email communications and contacts. The responsible party is not known for certain, but many believe it was the Iranian government. In 2015, the China Internet Network Information Center issued forged certificates for several Google domains, and in 2016 another Chinese CA, WoSign, issued a forged certificate for GitHub.com. Most recently, Google has announced that the Chrome browser will be deprecating and removing trust in existing certificates issued by Symantec because insufficient oversight of their partner organizations resulted in the issuance of 30,000 questionable certificates. Clearly, the current Certificate Authority arrangements are inadequate to deal with human negligence or a sufficiently motivated nation state attacker.

To reduce the potential threat of a compromised or malicious CA enabling MITM attacks, a new protocol, DNS-Based Authentication of Named Entities (DANE), was conceived. DANE is based on two existing protocols, Transport Layer Security (TLS) and Domain Name System Security Extensions (DNSSEC).

DNSSEC is intended to guarantee the integrity of DNS, the Internet protocol that converts human-friendly domain names like “cloudmark.com” into the numeric IP addresses that are used by Internet routers. A malicious DNS server could route your traffic to the wrong place to obtain your email, banking or other credentials using man in the middle attacks. Again, this is not just a theoretical possibility. Between 2007 and 2012 the DNSChanger malware infected as many as four million home computers, forcing them to use rogue DNS servers that intercepted requests for banner ads and displayed alternative advertising for which the criminals received payment. This attack could have been far more destructive – it was as if a burglar broke into your home just to leave advertising leaflets on your coffee table.

Like TLS, DNSSEC relies on a chain of certificate signatures, but in this case there is only one permitted path. Each level of a fully qualified domain name must be signed by the level above. Thus, the certificate that guarantees “cloudmark.com” must be signed by “.com”, and the “.com” top level domain must be signed by the root DNS certificate. The DANE protocol (https://tools.ietf.org/html/rfc6698) allows a DNS server that is authenticated by DNSSEC to also authenticate a TLS certificate. There are thus far fewer places where the chain of trust can be compromised.

DANE has seen significant deployment growth in the email world, where it can help to guarantee the integrity of server-to-server and client-to-server communications (see https://tools.ietf.org/html/rfc7672). As of February 2017, over 110,000 email domains were configured to support DANE-validated email transactions. This list includes major email providers, ISPs, and governmental organizations that supported DANE for inbound mail.
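To make the two previous paragraphs concrete, here is an added example (not Cloudmark's code) of what a sending mail server does once it has fetched a DNSSEC-validated TLSA record: it applies the RFC 6698 matching rules (selector, matching type, association data) to the certificate the receiving server presented, with the SMTP-specific owner name and usability rules from RFC 7672. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, and the TLSA record values are derived from them.

```python
import hashlib
from dataclasses import dataclass
# Added example (not Cloudmark's code): RFC 6698 TLSA matching for SMTP per RFC 7672.

@dataclass
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """RFC 7672: an MX host's TLSA records live at _<port>._tcp.<host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 2.1: select cert or SPKI, hash per mtype, compare."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected == rec.data
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rec.mtype)
    return algo is not None and algo(selected).digest() == rec.data

def dane_ee_authenticated(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE(3) record matches the certificate the server sent.
    RFC 7672 3.1.3: PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP (an MTA has
    no CA list to validate against) and unknown parameter values are skipped.
    DANE-TA(2) would also need chain validation and is omitted here."""
    for rec in records:
        if rec.usage != 3 or rec.selector > 1 or rec.mtype > 2:
            continue
        if tlsa_matches(rec, cert_der, spki_der):
            return True
    return False

# Constructed inputs: stand-ins for the DER certificate and its SPKI, plus
# the records a sender would fetch (DNSSEC-validated) at _25._tcp.<mx host>.
CERT_DER = b"constructed: certificate bytes"
SPKI_DER = b"constructed: subject public key info bytes"
RECORDS = [
    parse_tlsa("1 0 1 " + hashlib.sha256(CERT_DER).hexdigest()),   # ignored
    parse_tlsa("3 1 1 " + hashlib.sha256(b"old key").hexdigest()),  # rotated out
    parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()),    # current key
]
```

Publishing both the old and the new key's record during a key rollover, as RECORDS does, is what lets a receiving server rotate certificates without senders failing DANE validation while DNS caches expire.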

The National Institute of Standards and Technology has published a draft Cybersecurity Practice Guide on DNSSEC and DANE which states: “Implementation of the platform will be increasingly important as a market discriminator as public awareness of email security and privacy issues grows.” (See https://nccoe.nist.gov/publication/draft/1800-6/)

With email hacking becoming the new normal in politics, we expect other governments to follow suit. DANE does not stop all possibility of email compromise, but it does drastically reduce the surface for man in the middle attacks. By including DANE in Cloudmark Security Platform for Email 5.2, we are pleased to be able to contribute to more secure email communications for our clients and their users.